Lehigh
Lehigh
Type File virus
Creator
Date Discovered 1987.11
Place of Origin Bethlehem, PA, USA
Source Language Assembly
Platform DOS
File Type(s) .com
Infection Length 555 bytes
Reported Costs

Lehigh is an early DOS virus that infects only COMMAND.COM. While it is a file virus, the fact that it only infects one particular file on each disk causes it to behave in a way similar to a boot sector virus. An earlier virus named Rushhour behaved in a similar way, as it would only infect a German keyboard driver.

Behavior

When a disk with an infected COMMAND.COM file is accessed, Lehigh installs itself in memory. Lehigh searches for a COMMAND.COM on other available disks. As a cavity infector, the virus fills an unused portion of the of the host file's code in its stack space, causing no increase in the host's size. It can infect another COMMAND.COM file if a DOS disk is inserted while the virus is in memory.

Lehigh keeps an infection count in its body. After 4 infections, the virus may overwrite the boot sector and file allocation table.

Variants

A few variants of this virus exist. Most of them only differ in the number of infections before the payload is triggered.

Other Facts

Ken Van Wyk created some hype over the virus, but there is no evidence that it spread much beyond Lehigh University. Van Wyk would later start the VIRUS-L Usenet group.

A simple way to prevent the virus is to make COMMAND.COM a read-only file.

A virus named Diogenes contains a message saying "another fine product of the Lehigh Valley", possibly a reference to this virus.

Name

Lehigh was named after Lehigh University, where it was first found. Today, this is in violation of the CARO naming scheme, but this virus predates that scheme by a few years.

Antivirus Aliases

  • Avast: Lehigh
  • Avira: Lehigh #1 virus
  • Bitdefender: Virus.Lehigh
  • ClamAV: Lehigh.1
  • F-Secure: Virus.DOS.Lehigh [AVP]
  • Kaspersky: Virus.DOS.Lehigh
  • McAfee: Lehigh.dr
  • Symantec: Lehigh
  • Trend Micro: LEHIGH.DR

Sources

Peter Szor. The Art of Computer Virus Research and Defense, Chapter 3, Section 5.1, pp. 137, 198. Addison-Wesley, Pearson Education, Symantec Press; Upper Saddle River, New Jersey: 2005. ISBN: 0321304543

McAfee Antivirus, Lehigh. (Japanese)

Computer Break, Computer Sickness Reported - User Vigilance Required. 1988.01.15

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License